DEBIAN-CVE-2025-8860

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-8860

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-8860.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-8860

Upstream

CVE-2025-8860

Published

2026-02-18T21:16:22.260Z

Modified

2026-02-19T17:21:42.353522Z

Severity

3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFIVARSREGBUFFERSIZE, the .write callback uefi_vars_write is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFIVARSREGPIOBUFFER_TRANSFER, the .read callback uefi_vars_read returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.

References

https://security-tracker.debian.org/tracker/CVE-2025-8860

Affected packages

Debian:13 / qemu

Package

Name: qemu
Purl: pkg:deb/debian/qemu?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:10.0.3+ds-4

Affected versions

1:10.*

1:10.0.2+ds-2

1:10.0.2+ds-2+deb13u1~bpo12+1

1:10.0.2+ds-2+deb13u1

1:10.0.3+ds-0+deb13u1

1:10.0.3+ds-1

1:10.0.3+ds-2

1:10.0.3+ds-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-8860.json"

Debian:14 / qemu